EXAMINER'S ANSWER

This is in response to the appeal brief filed 25 March 2008 appealing from the Office action mailed 26
October 2007.

(1) Real Party in Interest

A statement identifying by name the real party in interest is contained in the brief. 

(2) Related Appeals and Interferences 

The examiner is not aware of any related appeals, interferences, or judicial proceedings which 
will directly affect or be directly affected by or have a bearing on the Board's decision in the pending 
appeal. 

(3) Status of Claims 

The statement of the status of claims contained in the brief is correct. 

(4) Status of Amendments After Final 

The appellant's statement of the status of amendments after final rejection contained in the 
brief is correct. 

(5) Summary of Claimed Subject Matter 

The summary of claimed subject matter contained in the brief is correct. 

(6) Grounds of Rejection to be Reviewed on Appeal 

The appellant's statement of the grounds of rejection to be reviewed on appeal is correct.

(7) Claims Appendix

The copy of the appealed claims contained in the Appendix to the brief is correct.

(8) Evidence Relied Upon

6,453,353    Win et al        9-2002
7,028,180    Aull et al       4-2006
6,760,711    Gillett et al    7-2004

(9) Grounds of Rejection 

The following ground(s) of rejection are applicable to the appealed claims: 

Claims 1-7, 9-15, and 17-23 are rejected under 35 U.S.C. 103(a) as being unpatentable over
Win et al US Patent No. 6,453,353 in view of Gillett et al US Patent No. 6,760,711.

With regards to claims 1, 9, 17, Win teaches a computer program product, system, and 
method for implementing electronic commerce systems comprising a web site being accessible by 
one or more users (Win, column 4 lines 20-30 and 34-67, web server with components stored on 
physical server), the computer readable code means representing the users (Win, column 5 lines 12- 
15, registered users, column 4 lines 45-51), each user being associated with a unique identity in the 
system (Win, column 6 lines 1-10, users associated with a particular login, column 6 lines 40-45, 
associated with a particular username), computer readable program code means for associating a 
user identity with one of a set of access roles for a security domain (Win, column 5 lines 44-54, 
associates each user with access rights defined by their role), the access role defining access
privileges for the user corresponding to the user identity (Win, column 5 lines 44-54, associates each
user with access rights defined by their role), computer readable program code means for granting or 
denying access to a user attempting to access a portion of the web site by determining the user 
identity for the user (Win, column 8 lines 10-16, grants access based upon the user identity, column 3 
lines 1-6, denies access based on user identity, column 8 lines 36-46) and determining the access 
role associated with the user identity for the security domain corresponding to the portion of the web 
site subject to the access attempt (Win, column 6 lines 10-16). Win fails to teach the security 
domains comprising a subset of the set of organizations and the on-line stores associated with the 
organizations in the subset. However, Gillett teaches security domains comprising a subset of the set 
of organizations and the on-line stores associated with the organizations in the subset (Gillett, column 
3 lines 28-60, online stores, column 4 lines 1-10, column 8 lines 20-40). At the time the invention was 
made, it would have been obvious to a person of ordinary skill in the art to utilize Gillett's 
organizational design using online stores because it offers the advantage of allowing small merchants 
to set up online stores while having a centralized ISP provide the security and maintenance of the 
websites thereby diminishing the threat of misuse of information (Gillett, column 1 lines 35-62 and 
column 1 lines 1-15). 

With regards to claims 2, 10, and 18, Win as modified teaches carrying out the determination 
of the access role associated with a user identity for a security domain at user logon time (Win, 
column 6 lines 10-16, when logging in, authorized resources are determined and presented to user). 

With regards to claims 3, 11, and 19, Win as modified teaches the set of access roles 
comprising registered customers and administrator roles (Win, column 4 lines 44-50, roles include
users and administrators, column 5 lines 20-33, users include the role of customer, column 16 lines 3-12).

With regards to claims 4-6, 12-14, and 20-22, Win as modified teaches computer readable 
program code means operable to define the set of organizations as a tree structure (Gillett, Figure 1, 
tree structure with ISP 26 as root and merchant computers 24 as leaves. Win, column 5 lines 20-32 
and lines 55-56, functional groups of roles own lesser roles), in which the computer readable program 
code means for associating a user identity with one of a set of access roles further comprises 
computer readable program code means for associating the user identity with the access role for a 
selected one of the set of organizations (Win, column 5 lines 24-29, associates users with a particular 
organization) and computer readable program code means for defining the security domain to include 
the selected organization (Win, column 5 lines 33-39) and those organizations in the set that are 
descendants of the selected organization (Win, column 5 lines 54-56). 

With regards to claims 7, 15, and 23, Win as modified teaches computer readable program 
code means for maintaining and providing look up functionality for a table (Win, column 13 lines 50- 
52, database tables, column 15 lines 44-46, table of user names and user types and look up 
functionality provided by Registry Repository) comprising rows comprising data representing user 
identity, organization, and access role associations (Win, column 16 lines 46-53, record includes 
name, role, and privileges). 

Claims 8, 16, and 24 are rejected under 35 U.S.C. 103(a) as being unpatentable over Win et
al US Patent No. 6,453,353 and Gillett et al US Patent No. 6,760,711, as applied to claims 1, 9, and
17 above, and in further view of Aull et al US Patent No. 7,028,180.

With regards to claims 8, 16, and 24, Win as modified fails to teach computer readable
program code means for providing user identities with associated access roles at user registration to
a website. However, Aull teaches computer readable program code means for providing user
identities with associated access roles at user registration to a website (Aull, column 9 lines 6-21,
registers using web server and receives role certificate). At the time the invention was made, it would 
have been obvious to a person of ordinary skill in the art to utilize Aull's registration method because 
it offers the advantage of providing a method by which all parties involved may give their approval to 
the granting of a role to a user (Aull, column 9 lines 10-21). 

(10) Response to Argument 

Appellant has argued on pages 3-7 that Win in combination with Gillett fails to render
claim 17 obvious for failure to teach all of the claimed limitations. Examiner respectfully disagrees.

Appellant initially argues that Gillett fails to teach the subject matter of the preamble including 
"the web site being accessible by one or more users and comprising a set of on-line stores and a set 
of organizations." (Appeal Brief, Page 3). Examiner respectfully disagrees. Gillett teaches the web 
site comprising a set of online stores and a set of organizations (Gillett, column 3 lines 28-60, online 
stores, column 4 lines 1-10 and column 8 lines 20-40). Gillett teaches the limitation by disclosing an 
organization in the form of a merchant creating online stores (Gillett, column 3 lines 27-33) in the form 
of a website (Gillett, column 3 lines 40-45). Gillett further teaches that the website is accessible to 
one or more users (Gillett, column 3 lines 28-60) because websites are accessible to users where the 
users could include any individual Internet web surfer. In the alternative, the website being
accessible to one or more users could be interpreted as Gillett's merchant accessing or setting up
their online stores (Gillett, column 3 lines 45-55). 

Appellant further argues on page 4 that Gillett fails to teach "the security domain comprising a 
subset of the set of organizations and the on-line stores associated with the organizations in the 
subset." Examiner respectfully disagrees. Gillett teaches a security domain comprising a subset of 
organizations and the on-line stores associated with the organizations in the subset (Gillett, column 3 
lines 28-60, online stores, column 4 lines 1-10, column 8 lines 20-40). Gillett teaches a set of 
organizations by teaching that multiple merchants (organizations) utilize the ISP to create on-line 
stores (Gillett, column 3 lines 28-60, online stores). Each single merchant (organization) and its 
associated on-line stores would be a subset of the whole set of merchants (organizations). Gillett 
teaches that each merchant has a separate security domain by disclosing that each merchant has 
special security control over his online stores through encryption, decryption, and authentication 
(Gillett, column 8 lines 20-40, column 8 lines 52-64). As a result, Examiner maintains that Gillett 
teaches a security domain comprising a subset of the set of organizations in the form of a single 
merchant. 

Appellant further argues on page 6 that Win fails to teach "granting or denying access to a user 
attempting to access a portion of the web site by determining the user identity for the user and 
determining the access role associated with the user identity for the security domain corresponding to 
the portion of the web site subject to the access attempt." Examiner respectfully disagrees. Initially, 
Examiner notes that Appellant has admitted that Win teaches automatically granting access to users 
who have the stored association role, automatically denying access to users who do not have roles (see
Appeal Brief, Page 6). Thus, Appellant admits that Win teaches granting or denying access to a user
by determining the access role associated with the user identity. Further, Win teaches granting or
denying access to a user attempting to access a portion of the web site by determining the user 
identity for the user (Win, column 8 lines 10-25, grants access based upon the user identity, column 3 
lines 1-6, denies access based on user identity, column 8 lines 36-46) and determining the access 
role associated with the user identity for the security domain corresponding to the portion of the web 
site subject to the access attempt (Win, column 6 lines 10-16). Win teaches the limitation in question 
by teaching determining the identity of the user by authentication (Win, column 8 lines 4-16) and then 
determining if a user has the correct role associated with their user identity to access the particular 
portion of the website they are attempting to access (Win, column 8 lines 10-25). If a user's role
authorizes the user to access a particular resource/website then the user will be granted access to 
that particular resource/website (Win, column 8 lines 28-45, column 8 lines 46-61, static HTML web 
page is the protected resource). Further, Win teaches the particular portion of the website to which 
access is requested comprises a security domain because it has an associated security level or role 
requirement in order to gain access that is separate from other protected websites and resources 
(Win, column 8 lines 45-61). 

Appellant further argues that the rejections of claims 18-23 are improper for the same reasons
as provided for claim 17. For the reasons stated above, Examiner maintains that the rejections of
claims 18-23 are proper.

Appellant has argued on pages 8-9 that Win in combination with Gillett fails to render
claims 20-22 obvious for failure to teach all of the claimed limitations. Examiner respectfully
disagrees.

Appellant argues on pages 8-9 that Win and Gillett fail to teach "defining a set of organizations
as a tree structure." Examiner respectfully disagrees. Win and Gillett teach the set of organizations
as a tree structure (Gillett, Figure 1, tree structure with ISP 26 as root and merchant computers 24 as
leaves. Win, column 5 lines 20-38 and lines 55-56, functional groups of roles own lesser roles). 
Specifically, Gillett teaches a tree structure with an ISP as a root node and merchants as leaves in a 
tree structure where the merchants further contain leaves as online stores (see Figure 1 and column 
3 lines 28-55). Gillett's merchant owned and ISP hosted system is set up as a tree whereby a single 
ISP hosts multiple merchants who own one or more online stores (see Figure 1 and column 3 lines 
28-55). 

Appellant further argues on page 10 that Win and Gillett fail to teach "defining the security 
domain to include the selected organization and those organizations in the set that are descendants 
of the selected organization." Examiner respectfully disagrees. As noted above, Gillett's system is 
composed of an ISP who hosts merchants (organizations) who own storefronts. Further, each 
merchant (organization) exercises special control of their merchant account and all descendant online 
storefronts (Gillett, column 8 lines 20-40, column 8 lines 52-64). Thus, the security domain 
encompasses the selected organization (merchant) and those organizations in the set that are 
descendants of the selected organization (the merchant's online stores).

Appellant has argued on pages 10-11 that Win in combination with Gillett fails to render
claim 23 obvious for failure to teach all of the claimed limitations. Examiner respectfully disagrees.

Appellant argues on pages 10-11 that Win and Gillett fail to teach "maintaining and providing
look up functionality for a table comprising rows comprising data representing user identity,
organization, access role associations." Examiner respectfully disagrees. Win teaches maintaining
and providing look up functionality for a table (Win, column 13 lines 50-52, database tables, column 
15 lines 44-46, table of user names and user types and look up functionality provided by Registry 
Repository) comprising rows comprising data representing user identity, organization, and access 
role associations (Win, column 16 lines 46-53, record includes name, role, and privileges, column 13 
lines 45-57, database for a particular organization) by teaching database tables and a registry 
repository. These are both composed of rows of data that may be accessed in a look up operation. 
Further, data representing user identity, organization, and access role associations is stored by the 
administration application allowing the lookup and assignment of security roles (Win, column 13 lines 
7-22). Appellant asserts that Win fails to disclose an "organization" being part of the table; however,
Win teaches that the tables are for a particular organization (Win, column 13 lines 45-58). Thus,
Examiner maintains that Win's table includes organization as well as user identity and access role 
associations (Win, column 16 lines 46-53, record includes name, role, and privileges, column 13 lines 
45-57, database for a particular organization). 

Appellant has argued on pages 12-13 that the combination of Win and Gillett lacks motivation. 
Examiner respectfully disagrees. It would have been obvious to a person of ordinary skill in the art to 
utilize Gillett's organizational design using online stores because it offers the advantage of allowing 
small merchants to set up online stores while having a centralized ISP provide the security and 
maintenance of the websites thereby diminishing the threat of misuse of information (Gillett, column 1 
lines 30-62 and column 1 lines 1-15). Contrary to Appellant's assertion, this advantage of Gillett is 
precisely the reason for incorporating Gillett's security domains comprising a subset of the set of
organizations and the online stores associated with the organizations in the subset. Gillett provides
ample motivation in that Gillett suggests an advantage that most merchants do not have the 
wherewithal to manage their websites and security and thus it is an advantage to offload those 
processes to an ISP. Thus, in combining Win and Gillett, Win's access control and role based 
security is improved by allowing an ISP based centralized online merchant system with security 
domains for each merchant which ensures that each merchant's private data is kept private and 
reduces the likelihood of misuse of information (Gillett, column 1 lines 30-62 and column 1 lines 1- 
15). As a result, Win's access control and role based security system could be applied to an 
organization (merchant) and its subset of online stores which would aid in protecting merchant 
information that is valuable and sensitive and ensure that only selected users can gain access to that 
information or to prohibited resources of the merchant (Win, column 1 lines 47-65). 

The motivation and reasoning detailed above applies with equal weight to Appellant's 
arguments regarding motivation to combine Win and Gillett for claims 20-22 because Win and Gillett 
were effectively combined through parent claim 17. Examiner has established a prima facie case of 
obviousness for claim 17, the parent claim of claims 20-22, and thus the motivation for combination is 
the same as that for claim 17. 

Appellant has argued on pages 16-17 that Win in combination with Gillett and Aull fails to
render claim 24 obvious for failure to teach all of the claimed limitations and for lack of motivation to 
combine. Examiner respectfully disagrees. 

Appellant argues on page 16 that Win, Gillett and Aull fail to teach providing user identities with 
associated access roles at user registration to a website. Examiner respectfully disagrees. Aull
teaches providing user identities with associated access roles at user registration to a website (Aull,
column 9 lines 6-21, registers using web server and receives role certificate). Aull teaches the
limitation in question by teaching a user who provides his identity (Aull, column 9 lines 35-42) and 
registers at a registration web server (Aull, column 9 lines 5-15). The user is then processed and 
approved to receive a role certificate which grants to the user access to be able to add or delete 
members of a particular role (Aull, column 8 lines 60-67). Thus, Aull teaches providing user identities 
with associated access roles at user registration to a website. 

Appellant further argues against the motivation to combine Aull with Win and Gillett. It would 
have been obvious to a person of ordinary skill in the art to utilize Aull's registration method because 
it offers the advantage of providing a method by which all parties involved may give their approval to 
the granting of a role to a user (Aull, column 9 lines 10-21). Aull provides further motivation for using 
the registration and role certificate method in that the certificate provides simple and fast methods of 
indicating proper approval, authority, or acceptance to the granting of a role to a user (Aull, column 2 
lines 13-29). By combining Aull with Win and Gillett, the role based access systems of Win would be 
improved by enhancing the granting of roles by ensuring that role grants are only given upon the
approval of all necessary parties. Thus, Examiner maintains that a prima facie case of obviousness 
has been shown. 

(11) Related Proceeding(s) Appendix 

No decision rendered by a court or the Board is identified by the examiner in the Related
Appeals and Interferences section of this examiner's answer.

For the above reasons, it is believed that the rejections should be sustained.

Respectfully submitted,
/Andrew L Nalven/
Examiner, Art Unit 2134

Conferees:
Kambiz Zand
/Kambiz Zand/
Supervisory Patent Examiner, Art Unit 2134

/KIMYEN VU/
Supervisory Patent Examiner, Art Unit 2135